Severe 0-day exploit in Java package "log4j2"

From: https://www.lunasec.io/docs/blog/log4j-zero-day/

Path of Exile isn't vulnerable to this, is it?

Pretty much everything is. But I expect GGG and Tencent are expert enough to react appropriately.

I've created another topic in "Help & Information" about this.
Because i think they (GGG) won't read too much in the offline section.

Here's the link to my post:
https://www.pathofexile.com/forum/view-thread/3221725

For such a severe issue (affecting probably billions of devices/applications/software/etc..), i'd appreciate any kind of information. and even if it is "under investigation".

why do you automatically think that they are using this java libary?
I not standard in any webserver configuration and their game is build in c++ so... where exactly would they use it? (and even there in most enterprise level linux distributions its already patched)

edit: and how the hell would allow unfiltered response through firewalls xD outbound rules with package inpection is standard today. I do understand its serious business, but any serious IT expert has defenses in place.

It's really a java thing. Eventhough what exists under the java wrap of Log4j is used in other environments, the RCE vulnerability requires java. And that's basically the dangerous one. A krangled JNDI LDAP lookup (basically looking for accounts) will only cause a DDOS.

Well GGG doesn't use java, for starters.

And if they did use log4j they wouldn't be able to say. That's bad security practice. Better to say nothing in this case (no sarcasm).


Lastly these lookups are terrible design. But for once I'll keep the rant to myself.


Have a nice time.